And from the WTAF dept, quite a bombshell from ProPublica today:

"Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found."

"The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage."

"But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work."

https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers?utm_source=bluesky&utm_medium=social&utm_campaign=propublica-bsky&utm_content=7-15

A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers

The Pentagon bans foreign citizens from accessing highly sensitive data, but Microsoft bypasses this by using engineers in China and elsewhere to remotely instruct American “escorts” who may lack expertise to identify malicious code.

ProPublica
@briankrebs WCPGW there? Nothing, surely.
@briankrebs so it really does have to be "Assume compromise"
@briankrebs Clearly the world in which we live has only the barest facade of sanity. I need coffee.
@briankrebs And we thought the "Sovereign Digital Solution" would be a typical German problem 🤪 🤪 🤪
CC @CIO, this will amuse you greatly

@masek
No, it's a capitalist/neo-liberal problem.

In any sane world the government would operate security sensitive infrastructure with its own expertise internally.

And concerning Microsoft, at the latest after the embarrassing email incidents that demonstrated that MS is not capable of maintaining a secure environment, there should have been consequences for any security-related contracts/tenders.
@briankrebs

@yacc143 The word "sane" is bearing a lot of load in that sentence 😄 @briankrebs

@masek @briankrebs No, it's the recognition that when it comes to certain things like security (or bodily safety, or especially national security), it's not something that you can outsource and rely on civil law to enforce the contract.

Simply because the court cannot make you whole again. It's a perfect example of “imminent danger”, where you would ask a court to act before anything bad can happen.

So yes, if a government outsources security critical infrastructure to an external provider, what are they going to do, if the provider fucks up? In practice, nothing.

And think about it: even a “non-classified email system” is actually highly security relevant, due to its nature, since indirect stuff goes over it.

And my personal evergreen is all these cool "management" systems (mentally I call them "commercial" RAT and C&C server services, with a nice legal contract, prepayment, and no need to buy bitcoins).

Even if everything works as advertised, you are running something that quacks like more or less impressive ransomware, but this time they sent a phishing email to your CIO/CISO, not to some unsuspecting users, and used a nice presentation about how it helps to lower costs as the payload.

Accountability: quickly approximating $$ e^{-n} $$ for n going to infinity.

Ask the CIOs that signed contracts with CrowdStrike how that worked out for them. It caused two-digit billions of damage; the "damages" that CrowdStrike is willing to "pay" are $80 million of product credit.

(Are there projections of how much damage $80m of CrowdStrike software can do?)

And CrowdStrike insists in the Delta lawsuit that even if it's legal, and they lose, their contract limits them to single-digit millions in damages. Delta had damages of $550m.

Whets your appetite for outsourcing critical functions to some shiny 3rd party, doesn't it?

Please note that all these "management" systems tend to run their local agent as "administrator/system" or "root" (or even as a kernel-level module), and because these companies cannot resist bragging ("We bagged 100 of the Fortune 500"), they are basically advertising themselves as interesting entry points for advanced threats, e.g. state-level ones that can afford to send in sleepers for 2-3 years, who then gain access to whole fleets of internal systems at a sizeable chunk of the Fortune-N selection, plus 1000s of other companies.

And practically all of these, no matter how clever the architecture, the cryptography, etc. is, implicitly trust closed-source updates done by people we know nothing about.

Oh right, we just found out that MS uses very trustworthy Chinese nationals as engineers for the US government cloud, who are supervised by even more trustworthy Americans, but who sadly often have absolutely no idea about IT. 👍

That's very friendly of MS, saves Chinese intelligence all the bothersome work of planting Western looking sleeper agents.

@yacc143 It could be bureaucracy, not capitalism in this particular case. Anti-corruption laws often virtually force the government to choose the lowest bidder.

@Oytis
Not really; they would just need to make the criteria for the tender transparent.

And having a clean history when it comes to certain events (like illegal hiring practices), having experience with projects of that size, or having no security incidents of certain types are pretty standard criteria for tenders.

It's a myth that they have to go with the cheapest bidder; that's just the default criterion if there is no other.

@Oytis
It just needs to be documented and be comprehensible how you arrived at the criteria.

My sister-in-law was responsible for a small two-digit million euro budget, and as she always smirked, it's always a question of how you write the tender. With a certain experience, the tender process is just an inconvenience that delays the buying process for some time, but you can basically always guarantee the winner beforehand, if you want to and have even a speck of a reason.

@masek @briankrebs wow, TIL the term “digital escorts”
@briankrebs Sufficiently advanced incompetence is indistinguishable from malice.
Britain's nuclear submarine software built by Belarusian engineers

Fears that coding work outsourced to Russia and its allies could pose national security threat

The Telegraph
@briankrebs sounds just like agentic AI but with extra steps to me

@briankrebs

In the meanwhile, tens of thousands of US IT workers are still without work. Not many jobs require protectionism, but managing national infrastructure for any nation should be one of those.

@undead @briankrebs this is what really gets me. We have qualified people here already, hire them!
@akamran @undead @briankrebs But they want to be paid properly, you know. It's definitely more lucrative to let the foreign spies into the system, than minimally reducing the shareholder value.

@akamran @undead @briankrebs

No, that's simply impossible!

Commissions and bonus structures dictate that the hired candidate be underqualified and paid a negligible fraction of a competent engineer.

Externalizing harm isn't just a core corporate value at Microsoft, it's expected that managers make it part of their decision making processes.

@briankrebs so while the US government was way smarter than the European Union in establishing gov-only and digitally sovereign environments, they forgot that location, oversight, education and execution in a no-spy environment is also key. Did they look too much at price?
@briankrebs but get rid of BYTE ownership because TikTok poses a security threat??? Hmmm.

@briankrebs This is not new. The Clinton admin let Chinese "students" into USA national labs, where the "students" stole nuclear weapons secrets and anything else they could get their hands on.

These leaders are either internationalists who believe the world is safer if both sides have all the toys, or they are bought or compromised.

@briankrebs Maybe voting in an administration that fills offices with sycophants instead of well-trained, smart people who know what they are doing was not such a good idea…

@briankrebs lol m(

"Hello, is this tech support? I want to start nuke.exe. It doesn't work."

@briankrebs Every time you think this stupid timeline is incapable of jumping the shark even more... 🙄

@briankrebs

I admit to reading the first third and then thinking "this is fairly standard". Government contracts aren't especially super-awesome things to work on and large companies often can't attract expertise so vendors and contractors have far more influence than people think.

(Just yesterday I was instructing employees at a Canadian company that all Canadians would recognize in the shell commands needed for basic troubleshooting on a piece of important pre-production infrastructure, for example.)

@briankrebs COULD expose??? It's been "exposed" from the very beginning. What Id EE OTTS.

@briankrebs

It doesn't surprise me in the slightest.

20 years ago I was working on the design of a test instrument for the military. The company wanted to outsource the build to China.

I couldn't hire an engineer with a green card or a citizen of a Nato country to work on this design, but the entire thing could be sent to China to build.

@briankrebs
Microsoft has been providing digital services to Russia throughout the duration of its war against Ukraine.
@briankrebs Could? Did. Full stop.
@briankrebs Common Microsoft L. Government contracting out to Microsoft is literally everything wrong with the public sector combined with everything wrong with the private sector. Never shoulda legalized PPP.
@stefani @briankrebs neat trick: it's not "hacking" if you give your adversary access!
@briankrebs Rather, they can improve by switching to Russia, which is anyway a good friend of the government.
Scnr
@briankrebs sounds like a cool idea for some scifi movie. Oh, wait...
@briankrebs someone could write a very hard to find buffer overflow or other memory bug and easily argue incompetence. Even if the overseer is competent, if the person writing the code doesn't have a security clearance, it isn't good enough for security-sensitive applications. It is much easier to introduce a very complex and hard-to-find memory bug on purpose than to recognize one.

@briankrebs

That's a joke, isn't it?

Unbelievable.

@briankrebs the even more fun part of this is that DoD is using more of the MS ecosystem than ever before, at all levels of classification.

@briankrebs

Hey look, more evidence that it was corporations all along that are responsible for the rise of China as a security threat.

@briankrebs So, basically, the federal government saved money by outsourcing high-paid American jobs to lower paid folks outside the US: US “officials raised the possibility of Microsoft ‘hiring a bunch of U.S. citizens to maintain the federal cloud’ directly, Crowley told ProPublica. For Microsoft, the suggestion was a nonstarter, Crowley said, because the increased labor costs of implementing it broadly would make a cloud transition prohibitively expensive for the government.”
@briankrebs 😂
#US geniuses everywhere 😂
not long ago some #Microsoft sales pitch
claimed "trusted business partner" 😂
sure, didn't buy it then and certainly not in the future
@briankrebs what could possibly go wrong?